
A Bug in GitHub recorded user passwords in plaintext

by Harikrishna Mekala

GitHub has emailed a small number of users asking them to reset their passwords because of a bug that wrote those passwords into internal logs, where they were readable by employees with access to the production logging system. The company says only a small number of accounts were affected.

GitHub normally stores passwords only as bcrypt hashes, but the bug caused the plaintext password to be written to internal logs when an affected user reset or changed it. GitHub found the bug during a routine audit and says it has checked, as a precaution, that its servers were not hacked. Several recipients shared the email on Twitter. The company again stressed that the number of affected users is very small.
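The failure mode described above, shown as an added example that is not GitHub's code: a password-reset handler that logs the raw request body (the leak pattern) beside one that logs only a redacted copy, plus the kind of audit check that would catch the leak in log output. The handler structure, the field names, the in-memory logger and the sample request are all assumptions; `hashlib.scrypt` from the standard library stands in for bcrypt so the example runs offline.

```python
"""Password-reset logging: the leak pattern beside a redacting fix.

Added illustration, not GitHub's code. Handler shape, field names and log
format are assumptions; hashlib.scrypt stands in for bcrypt.
"""
import hashlib
import hmac
import io
import logging
import os

# Hypothetical in-memory user store: username -> (salt, password_hash).
USERS = {}

# Field names treated as secrets by the redacting logger (an assumption;
# the real parameter names in GitHub's reset flow are not in the article).
SENSITIVE_FIELDS = {"password", "password_confirmation", "reset_token"}


def hash_password(password, salt=None):
    """Hash a password with a per-user random salt.

    scrypt stands in for bcrypt so no third-party package is needed; the
    property that matters here (only a salted, slow hash is stored) holds.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 13, r=8, p=1)
    return salt, digest


def verify_password(username, password):
    """Constant-time comparison of a login attempt against the stored hash."""
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def redact(params):
    """Copy of the request parameters with secret fields masked."""
    return {k: ("[FILTERED]" if k in SENSITIVE_FIELDS else v) for k, v in params.items()}


def make_logger(name):
    """Logger writing to an in-memory buffer, standing in for a log pipeline."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def reset_password_leaky(username, params, logger):
    """The bug pattern: log the raw request body, then hash and store."""
    logger.info("password_reset user=%s params=%r", username, params)
    USERS[username] = hash_password(params["password"])


def reset_password_safe(username, params, logger):
    """Hardened form: the log line only ever sees the redacted copy."""
    logger.info("password_reset user=%s params=%r", username, redact(params))
    USERS[username] = hash_password(params["password"])


def audit_logs(log_text, known_secrets):
    """Audit check: which of the given secrets appear verbatim in the logs."""
    return [s for s in known_secrets if s in log_text]


def demo():
    """Run both handlers on the same constructed request and audit the logs."""
    leaky_logger, leaky_buf = make_logger("demo.leaky")
    safe_logger, safe_buf = make_logger("demo.safe")
    # Constructed sample request body for the reset form.
    params = {"password": "hunter2", "password_confirmation": "hunter2",
              "reset_token": "tok-example", "username": "alice"}

    reset_password_leaky("alice", params, leaky_logger)
    leaky_hits = audit_logs(leaky_buf.getvalue(), ["hunter2", "tok-example"])

    reset_password_safe("alice", params, safe_logger)
    safe_hits = audit_logs(safe_buf.getvalue(), ["hunter2", "tok-example"])

    return leaky_hits, safe_hits, verify_password("alice", "hunter2")


if __name__ == "__main__":
    print(demo())  # (['hunter2', 'tok-example'], [], True)
```

The point of `audit_logs` is that a correct hashing scheme at rest says nothing about what a debug statement upstream of it emits; a routine scan of log output for known test secrets is the check that surfaces this class of bug. Web frameworks already provide parameter filtering (Rails' `config.filter_parameters`, for example), but it only helps on code paths that log through the filter.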

In the past, GitHub has also emailed users urging them to stop reusing the same password across different services. The full text of the email GitHub sent out today was:

“During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system, including yours. We have corrected this, but you’ll need to reset your password to regain access to your account.

GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time. Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way.

You can regain access to your account by resetting your password using the link below:

https://github.com/password_reset”
